custom domain nginx reverse proxy header size

custom-domain/dstack-ingress/README.md

@@ -180,6 +180,9 @@ configs:
 - `PROXY_READ_TIMEOUT`: Optional value for nginx `proxy_read_timeout` (numeric with optional `s|m|h` suffix, e.g. `30s`) in single-domain mode
 - `PROXY_SEND_TIMEOUT`: Optional value for nginx `proxy_send_timeout` (numeric with optional `s|m|h` suffix, e.g. `30s`) in single-domain mode
 - `PROXY_CONNECT_TIMEOUT`: Optional value for nginx `proxy_connect_timeout` (numeric with optional `s|m|h` suffix, e.g. `10s`) in single-domain mode
+- `PROXY_BUFFER_SIZE`: Optional value for nginx `proxy_buffer_size` (numeric with optional `k|m` suffix, e.g. `128k`) in single-domain mode
+- `PROXY_BUFFERS`: Optional value for nginx `proxy_buffers` (format: `number size`, e.g. `4 256k`) in single-domain mode
+- `PROXY_BUSY_BUFFERS_SIZE`: Optional value for nginx `proxy_busy_buffers_size` (numeric with optional `k|m` suffix, e.g. `256k`) in single-domain mode
 - `CERTBOT_STAGING`: Optional; set this value to the string `true` to set the `--staging` server option on the [`certbot` cli](https://eff-certbot.readthedocs.io/en/stable/using.html#certbot-command-line-options)
 
 **Backward Compatibility:**

custom-domain/dstack-ingress/scripts/entrypoint.sh

@@ -28,6 +28,15 @@ fi
 if ! PROXY_CONNECT_TIMEOUT=$(sanitize_proxy_timeout "$PROXY_CONNECT_TIMEOUT"); then
     exit 1
 fi
+if ! PROXY_BUFFER_SIZE=$(sanitize_proxy_buffer_size "$PROXY_BUFFER_SIZE"); then
+    exit 1
+fi
+if ! PROXY_BUFFERS=$(sanitize_proxy_buffers "$PROXY_BUFFERS"); then
+    exit 1
+fi
+if ! PROXY_BUSY_BUFFERS_SIZE=$(sanitize_proxy_buffer_size "$PROXY_BUSY_BUFFERS_SIZE"); then
+    exit 1
+fi
 if ! TXT_PREFIX=$(sanitize_dns_label "$TXT_PREFIX"); then
     exit 1
 fi
@@ -117,6 +126,21 @@ setup_nginx_conf() {
         proxy_connect_timeout_conf="        ${PROXY_CMD}_connect_timeout ${PROXY_CONNECT_TIMEOUT};"
     fi
 
+    local proxy_buffer_size_conf=""
+    if [ -n "$PROXY_BUFFER_SIZE" ]; then
+        proxy_buffer_size_conf="    proxy_buffer_size ${PROXY_BUFFER_SIZE};"
+    fi
+
+    local proxy_buffers_conf=""
+    if [ -n "$PROXY_BUFFERS" ]; then
+        proxy_buffers_conf="    proxy_buffers ${PROXY_BUFFERS};"
+    fi
+
+    local proxy_busy_buffers_size_conf=""
+    if [ -n "$PROXY_BUSY_BUFFERS_SIZE" ]; then
+        proxy_busy_buffers_size_conf="    proxy_busy_buffers_size ${PROXY_BUSY_BUFFERS_SIZE};"
+    fi
+
     cat <<EOF >/etc/nginx/conf.d/default.conf
 server {
     listen ${PORT} ssl;
@@ -153,6 +177,9 @@ server {
 
     # SSL buffer size (optimized for TLS 1.3)
     ssl_buffer_size 4k;
+${proxy_buffer_size_conf}
+${proxy_buffers_conf}
+${proxy_busy_buffers_size_conf}
 
     # Disable SSL renegotiation
     ssl_early_data off;

custom-domain/dstack-ingress/scripts/functions.sh

@@ -83,6 +83,35 @@ sanitize_proxy_timeout() {
     fi
 }
 
+sanitize_proxy_buffer_size() {
+    local candidate="$1"
+    if [ -z "$candidate" ]; then
+        echo ""
+        return 0
+    fi
+    if [[ "$candidate" =~ ^[0-9]+[kKmM]?$ ]]; then
+        echo "$candidate"
+    else
+        echo "Warning: Ignoring invalid proxy buffer size value: $candidate" >&2
+        echo ""
+    fi
+}
+
+sanitize_proxy_buffers() {
+    local candidate="$1"
+    if [ -z "$candidate" ]; then
+        echo ""
+        return 0
+    fi
+    # Format: number size (e.g., "4 256k")
+    if [[ "$candidate" =~ ^[0-9]+[[:space:]]+[0-9]+[kKmM]?$ ]]; then
+        echo "$candidate"
+    else
+        echo "Warning: Ignoring invalid proxy buffers value: $candidate (expected format: 'number size', e.g., '4 256k')" >&2
+        echo ""
+    fi
+}
+
 get_letsencrypt_account_path() {
     local base_path="/etc/letsencrypt/accounts"
     local api_endpoint="acme-v02.api.letsencrypt.org"